INTERNET STORM CENTER SPOTLIGHT
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
Microsoft March 2023 Patch Tuesday
Published: 2023-03-14
Last Updated: 2023-03-14 19:43:59 UTC
by Renato Marinho (Version: 1)
This month we got patches for 76 vulnerabilities. Of these, 9 are critical and 2 are already being exploited, according to Microsoft.
One of the exploited vulnerabilities is an elevation of privilege affecting Microsoft Outlook (CVE-2023-23397). According to the advisory, an attacker who successfully exploited this vulnerability could access a user's Net-NTLMv2 hash which could be used as a basis of an NTLM Relay attack against another service to authenticate as the user. The attacker could exploit this vulnerability by sending a specially crafted email that triggers automatically when it is retrieved and processed by the Outlook client. This could lead to exploitation BEFORE the email is viewed in the Preview Pane. The CVSS for this vulnerability is 9.8.
The second exploit vulnerability is a security feature bypass affecting Windows SmartScreen (CVE-2023-24880). According to the advisory, an attacker can craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging. The CVSS for this vulnerability is 5.4.
There is another critical vulnerability worth mentioning which is Remote Code Execution (RCE) affecting HTTP Protocol Stack (CVE-2023-23392). A prerequisite for a server to be vulnerable is that the binding has HTTP/3 enabled and the server uses buffered I/O. HTTP/3 support for services is a new feature of Windows Server 2022. This vulnerability requires no user interaction, no privileges, and the attack complexity is low. The CVSS for this vulnerability is 9.8.
Read the full entry:
https://isc.sans.edu/diary/Microsoft+March+2023+Patch+Tuesday/29634/
Incoming Silicon Valley Bank Related Scams
Published: 2023-03-13
Last Updated: 2023-03-13 14:53:24 UTC
by Johannes Ullrich (Version: 1)
Any big news story tends to attract its set of scams. We have seen this happening for disasters, political events, and wars. So it isn't a big surprise that last week's failure of Silicon Valley Bank is starting to get some traction.
If you see any scams (phishing, malware...): Please let us know via our contact page or email (handlers - at - isc.sans.edu )
The failure of Silicon Valley Bank has some particularly enticing properties for scammers:
It involves a lot of money
Urgency: Many companies and individuals employed by companies have questions about how to pay urgent bills. Will my employer be able to make payroll? Is there anything I need to do right now?
Uncertainty: For many, it isn't clear how to communicate with SVB, what website to use, or what emails to expect (or where they will come from?)
All this is bound to result in some simple but also targeted scams.
You should expect some targeted scams if it is known that you or the company you work for banks with SVB. Most of the time, this information is more or less public. Expect not just email but also SMS or phone call scams.
Some of the legitimate offers may be indistinguishable from scams. People may offer loans or legal services to affected companies. As with natural disasters in the past, we also see law firms setting up dedicated pages to attract clients for an eventual lawsuit.
We do already see a little race to register SVB related domains
Read the full entry:
https://isc.sans.edu/diary/Incoming+Silicon+Valley+Bank+Related+Scams/29630/